Hi!
[announce goes both to net@ and pf@, but any discussion should
go on pf at FreeBSD.org only, please]
As you already may know, for the last half a year I've been working on
making pf SMP-scalable and faster in general. More info can be
found here:
http://lists.freebsd.org/pipermail/f...ne/006643.html
http://lists.freebsd.org/pipermail/f...ne/006662.html
Since that announcement in June, I've been running the experimental code for
more than 2 months in production on several routers. Also, some brave
people volunteered to be beta-testers and have also run the experimental
branch in the last couple of months. The code proved to be stable enough.
The new code performs better in production: less CPU load, less
jitter, more responsive system under high load. It performs better
under synthetic benchmarks like a randomly generated UDP flood. It
performs much better when a DoS comes in.
Thus, I plan to merge projects/pf/head to head this weekend, and
this is a HEADS UP email! You have been warned. :)
What I'd like to do next:
1) Move pf out of contrib.
2) Refactor pfvar.h into pf.h and pf_var.h. Provide a stable
kernel<->pfctl ABI. And probably other clean-up tasks.
...
3) ... too far to build any plans, yet. :)
--
Totus tuus, Glebius.